A UK view on Cyber, Information & IT Security by Security Expert Dave Whitelegg. Providing advice and explaining security for everyone, and also contemplating advanced themes and future trends in security.
With a focus on all the latest developments & issues within the UK Information Security space such as Hacking, DDoS, Botnets, Malware, Identity Theft, Data Protection (DPA) and regulatory compliance like PCI DSS & ISO27001:2013, all will be explained in an easy to understand way.

Friday, 20 March 2009

UK Payment Card Fraud Continues to Soar

APACS, a UK trade association for payments and payment service providers, released their annual statistics on UK payment (credit) card fraud losses. As expected the APACS statistics shows UK payment card fraud is continuing to rise, breaking the £600 Million a year mark for the first time. 2008 fraud figures announced by APACS

In these times of billion pound bank bailouts, these figures might seem small fry, but we should remember these fraud costs are indirectly paid for by all of us payment card holders, and are recouped by card providers through higher interest rates and various charges. The card issuers and banks do cover consumers against payment card fraud losses and usually reimburse all fraudulent card transactoins, but just as insurance fraud losses are factored into our insurance premiums, payment card fraud losses are passed on to consumers, so in the grand scheme of things we all foot the bill for payment card fraud in UK. So we really ought to care more about these rising trends in UK payment card fraud, which increased by 14% in 2008. We should be questioning what the payment card industry and merchants are doing in tackling this problem and protecting our payment card information.

Another factor card issuers and banks overlook, is the personal stress and inconvenience card fraud causes the victim, especially if a bank card is compromised.

I’ll break down the APACS stats in another blog entry over the next couple days, explaining the trend, and the impact of the introduction of Chip & Pin in the UK.

As APACS released UK payment card fraud losses stats for 2008, the BBC published an undercover investigation report, which exposed how UK payment cards and personal details can be stolen to order from an India Call Centre. BBC Overseas credit card scam exposed Call Centres are one of the prime locations for targeted information theft, and particularly with internal based payment card information theft. It’s can be such a lucrative trade, so no surprisingly Call Centres are actively specifically targeted and even infiltrated by criminal gangs.

UK based Call Centres are problematic enough to secure against these types of threats, however where UK companies outsource or move their call centre function offshore to save money, so the risk of fraud, in my view, increases. Why? Well to be perfectly blunt crime rates are just a lot higher and less controlled in places like India than in the UK. Secondly UK companies generally do a very poor job of validating the security of their offshore and are mostly third party operated Call Centre due to the distant location. Companies often assume the required security policies and procedures are being practiced, and rarely conduct on-site security audits of the offshore Call Centre. Finally it is extremely difficult to criminal and credit check nationals in countries like India, because of the population size and commonality of names. So it is of no real surprise to me when I read these types of stories, as it’s been happening for years now. I guess due to quick reimbursement process with UK card fraud, UK consumers tend not to question how their card details were stolen in the first place, and so such Call Centre operations aren’t put under the required scrutiny. I always avoid providing my card details over phone to anyone at all costs; it’s actually safer to pay online or in person than to tell someone you can’t even see your card and personal information.

The Payment Card Industry (PCI) has a Data Security Standard (PCI-DSS), which all merchants and payment processes are suppose to comply with, but what I find interesting in my card fraud research, is most Call Centres, UK based or not, just aren’t complying with the PCI standard. It’s routine to record all calls, so these voice recordings end holding volumes of card information and are often left unprotected, while operators routinely write down full payment card details, including the 3 digit security code, often known as the CVV2 number. According to PCI DSS requirements, the three digit security code is not allowed to be stored (written down), and that’s for a good reason, to help prevent card fraud.

So if you are a generally low paid Call Centre operator, you have all the information you need to commit card fraud against countless victims, a full name, a full address, full card number, card expiry date and the security code, plus other personal data such as email address. Combining a payment card with a profile of the personal details about the payment card holder, increases the black market value ten fold. I find most dodgy Call Centre operators who “skim” card payment details, don’t actually commit the card fraud transactions themselves, but they tend to sell the card information on to other criminals, so a real division labour.

Thanks to the global economic down turn, and judging by what I'm seeing on the ground, I think its safe to say UK payment card fraud will continue to soar into 2009. As payment card holders, be mindful in protecting your card information, so when that hotel receptionist over the phone asks for your card CVV2 number as part of the booking process, question it and refuse. And most importantly scrutinise your card statements, as an unknown percentage of card fraud goes completely unnoticed by us consumers, and so is not being refunded by card issuers and does not appear on those APACS card fraud statistics.

5 comments:

Interested to see your claim that some data centres are recording customers' CVV2 numbers on audio files or paper. Surely the answer here is for issuers to start using one-time codes - which will strongly authenticate users, but give nothing away that an employee of the call centre (or anyone else who happens to intercept calls/electronic traffic) can use?

Support Bloggers Rights

About Me

ShareThis

Disclaimer

This is a personal website, all views or opinions represented in this blog are personal to Dave Whitelegg and guest bloggers that post, and do not represent the views or opinions of any business or organisation. All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information.

All original content copyright David Whitelegg 2007-2016. You may not use any original content with. Awesome Inc. theme. Powered by Blogger.